CN112351008B - Network attack analysis method and device, readable storage medium and computer equipment - Google Patents


Info

Publication number
CN112351008B
Authority
CN
China
Prior art keywords
query interface
searching
name
source address
alarm
Prior art date
Legal status
Active
Application number
CN202011163928.3A
Other languages
Chinese (zh)
Other versions
CN112351008A (en)
Inventor
罗家强
范渊
刘博�
Current Assignee
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Priority date
Filing date
Publication date
Events
Application filed by DBAPPSecurity Co Ltd
Priority to CN202011163928.3A
Publication of CN112351008A
Application granted
Publication of CN112351008B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network attack analysis method, a device, a readable storage medium and computer equipment, wherein the network attack analysis method comprises the following steps: when a network attack alarm occurs, reading a first object entity selected by a user; analyzing the first object entity through a preset analysis query interface to generate first query result data, wherein the analysis query interface has query logic information; extracting the query result data to generate a second object entity; analyzing the second object entity through the analysis query interface to generate second query result data; and acquiring the relation between the first query result data and the second query result data, connecting the first object entity and the second object entity through a relation graph, and displaying the relation graph. The method and the device can solve the problems that the learning cost is high and the incidence relation behind the data cannot be visually seen in the prior art.

Description

Network attack analysis method and device, readable storage medium and computer equipment
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a network attack analysis method and apparatus, a readable storage medium, and a computer device.
Background
In the network of the present day, various hackers with different purposes exist to carry out network attacks on other individuals or enterprises on the internet so as to achieve the purposes of obtaining benefits, improving prestige, political intention and the like. In the past explosive security events, enterprises have problems about the perception capability of the lost hosts in the network, and often cannot discover attacks in the network in the first time. Hackers can perform long-term incubation in organizations, and perform actions such as information collection, sensitive data theft and even destruction.
In order to strengthen the security perception capability of enterprises, more and more enterprises establish log analysis platforms at present. However, the current log analysis platform has the following problems: the current log analysis platform needs query sentences with complicated data every time data is retrieved, and query grammars of different log platforms are different, so that higher learning cost is caused to users; in addition, the existing log analysis platform is mainly displayed in a list form, and when the threat is traced, the displayed result cannot visually see the association relation behind the data.
Disclosure of Invention
Therefore, an object of the present invention is to provide a network attack analysis method, so as to solve the problems that the learning cost is high and the association relationship behind data cannot be visually seen in the prior art.
The invention provides a network attack analysis method, which comprises the following steps:
when a network attack alarm occurs, reading a first object entity selected by a user;
analyzing the first object entity through a preset analysis query interface to generate first query result data, wherein the analysis query interface has query logic information;
extracting the query result data to generate a second object entity;
analyzing the second object entity through the analysis query interface to generate second query result data;
and acquiring the relationship between the first query result data and the second query result data, connecting the first object entity and the second object entity through a relationship graph, and displaying the relationship graph.
According to the network attack analysis method provided by the invention, because the query interface is packaged, the user can call it directly through an interactive method to obtain the desired query result data, so the thresholds of network threat tracing and log analysis are lowered, the learning cost is low, and the method is convenient to use. In addition, the query result is displayed through the structure of the relationship graph, so that the user can visually analyze the relationship between behaviors, locate the attack source more quickly, evaluate the range of influence of the attack more quickly, and quickly understand the relationship behind the data.
In addition, the network attack analysis method according to the present invention may further have the following additional technical features:
further, the analysis query interface comprises an alarm name query interface, a source address and destination address query interface, a source port and destination port query interface, and an HTTP query interface;
the alarm name query interface is used for searching an alarm name according to a source address, or searching an alarm name according to a destination address, or searching an alarm name according to a source host, or searching an alarm name according to a destination host, or searching an alarm name according to a domain name;
the source address and destination address query interface is used for searching a source address according to an alarm name, or searching a destination address according to the source address and the alarm name, or searching a source address according to the destination address and the alarm name, or searching a destination address according to the source address and a destination port;
the source port and destination port query interface is used for searching the destination port according to a source address, or searching the source port according to a destination address and an alarm name, or searching the destination port according to the source address and the alarm name;
the HTTP query interface is used for searching the request URL according to the alarm name, or searching the request URL according to the source address, or searching the HTTP return status code according to the alarm name, or searching the HTTP return status code according to the source address.
Further, the analysis query interface further includes a DNS domain name query interface, and the DNS domain name query interface is configured to search a DNS domain name according to the source address and the alarm name.
Further, the method specifically comprises:
when a network attack alarm occurs, reading an alarm object entity;
obtaining the source address of the alarm object entity through the source address and the destination address query interface in the analysis query interface;
selecting the source address as an object entity, and calling an alarm name query interface in the analysis query interface to acquire other alarms related to the source address;
selecting other alarms related to the source address as object entities, and calling a source port and a destination port query interface in the analysis query interface to acquire a destination port;
selecting the destination port as an object entity, and calling the source address and destination address query interface in the analysis query interface to acquire a destination address;
selecting the destination address as an object entity, and calling an alarm name query interface in the analysis query interface to acquire other alarms related to the destination address;
and acquiring the relationship among the query result data of the analysis query interface, connecting the object entities through a relationship graph, and displaying the relationship graph.
Further, the first object entity includes any one of a source address, a destination address, a source port, a destination port, a transport protocol, an application protocol, an alarm name, an event name, a file name, a virus name, a DNS domain name, a request URL, an HTTP return status code, a process name, a user name, an operation, and an operation result.
Another objective of the present invention is to provide a network attack analysis apparatus, so as to solve the problems of low test efficiency and high test cost in the prior art.
The invention provides a network attack analysis device, comprising:
the first reading module is used for reading a first object entity selected by a user when a network attack alarm occurs;
the first analysis module is used for analyzing the first object entity through a preset analysis query interface to generate first query result data, and the analysis query interface has query logic information;
the extraction generation module is used for extracting the query result data to generate a second object entity;
the second analysis module is used for analyzing the second object entity through the analysis query interface to generate second query result data;
and the first display module is used for acquiring the relationship between the first query result data and the second query result data, connecting the first object entity and the second object entity through a relationship graph, and displaying the relationship graph.
According to the network attack analysis device provided by the invention, because the query interface is packaged, a user can call it directly through an interactive method to obtain the desired query result data, so the thresholds of network threat tracing and log analysis are lowered, the learning cost is low, and the device is convenient to use. In addition, the query result is displayed through the structure of the relationship graph, so that the user can visually analyze the relationship between behaviors, locate the attack source more quickly, evaluate the range of influence of the attack more quickly, and quickly understand the relationship behind the data.
In addition, the network attack analysis device according to the present invention may further include the following additional features:
further, the analysis query interface comprises an alarm name query interface, a source address and destination address query interface, a source port and destination port query interface, and an HTTP query interface;
the alarm name query interface is used for searching an alarm name according to a source address, or searching an alarm name according to a destination address, or searching an alarm name according to a source host, or searching an alarm name according to a destination host, or searching an alarm name according to a domain name;
the source address and destination address query interface is used for searching a source address according to an alarm name, or searching a destination address according to the source address and the alarm name, or searching a source address according to the destination address and the alarm name, or searching a destination address according to the source address and a destination port;
the source port and destination port query interface is used for searching the destination port according to a source address, or searching the source port according to a destination address and an alarm name, or searching the destination port according to the source address and the alarm name;
the HTTP query interface is used for searching the request URL according to the alarm name, or searching the request URL according to the source address, or searching the HTTP return status code according to the alarm name, or searching the HTTP return status code according to the source address.
Further, the analysis query interface further includes a DNS domain name query interface, and the DNS domain name query interface is configured to search a DNS domain name according to the source address and the alarm name.
Further, the first object entity includes any one of a source address, a destination address, a source port, a destination port, a transport protocol, an application protocol, an alarm name, an event name, a file name, a virus name, a DNS domain name, a request URL, an HTTP return status code, a process name, a user name, an operation, and an operation result.
Further, in one example, the apparatus comprises:
the second reading module is used for reading the alarm object entity when the network attack alarm occurs;
the first query module is used for acquiring the source address of the alarm object entity through the source address and the destination address query interface in the analysis query interface;
the second query module is used for selecting the source address as an object entity and calling an alarm name query interface in the analysis query interface to acquire other alarms related to the source address;
the third query module is used for selecting other alarms related to the source address as object entities and calling a source port and a destination port query interface in the analysis query interface to acquire a destination port;
the fourth query module is used for selecting the destination port as an object entity and calling a source address and a destination address query interface in the analysis query interface to acquire a destination address;
a fifth query module, configured to select the destination address as an object entity, and call an alarm name query interface in the analysis query interface to obtain other alarms related to the destination address;
and the second display module is used for acquiring the relationship among the query result data of the analysis query interface, connecting the object entities through a relationship graph and displaying the relationship graph.
The present invention also proposes a readable storage medium, on which a computer program is stored, which when executed by a processor implements the steps of the above network attack analysis method.
The invention also provides a computer device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the program to realize the steps of the network attack analysis method.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
The above and/or additional aspects and advantages of embodiments of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
FIG. 1 is a flow diagram of a network attack analysis method according to an embodiment of the invention;
FIG. 2 is a flow diagram of a network attack analysis method according to another embodiment of the invention;
FIG. 3 is a schematic diagram of an exemplary relationship network between a plurality of object entities;
fig. 4 is a block diagram of a network attack analysis apparatus according to an embodiment of the present invention;
fig. 5 is a block diagram of a network attack analysis apparatus according to another embodiment of the present invention;
fig. 6 is an internal structural view of a computer device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
Referring to fig. 1, a network attack analysis method according to an embodiment of the present invention at least includes steps S101 to S105.
In S101, when a network attack alarm occurs, a first object entity selected by a user is read. When a user observes suspicious events needing analysis in daily operation and maintenance work, namely when a network attack alarm occurs, a visual interactive interface is provided for the user, and the user can interact by clicking a first object entity, then selects an analysis query interface and issues a query task.
The first object entity includes, but is not limited to, any one of a source address, a destination address, a source port, a destination port, a transport protocol, an application protocol, an alarm name, an event name, a file name, a virus name, a DNS domain name, a request URL, an HTTP return status code, a process name, a user name, an operation, and an operation result.
In S102, the first object entity is analyzed through a preset analysis query interface to generate first query result data, where the analysis query interface has query logic information.
The user can write the query logic information in the analysis query interface in advance, and then package the analysis query interface for calling when needed.
Specifically, the analysis query interface includes an alarm name query interface, a source address and destination address query interface, a source port and destination port query interface, and an HTTP query interface.
The alarm name query interface is used for searching alarm names according to source addresses, or searching alarm names according to destination addresses, or searching alarm names according to source hosts, or searching alarm names according to destination hosts, or searching alarm names according to domain names.
The source address and destination address query interface is used for searching a source address according to an alarm name, or searching a destination address according to the source address and the alarm name, or searching a source address according to the destination address and the alarm name, or searching a destination address according to the source address and a destination port.
The source port and destination port query interface is used for searching the destination port according to the source address, or searching the source port according to the destination address and the alarm name, or searching the destination port according to the source address and the alarm name.
The HTTP query interface is used for searching the request URL according to the alarm name, or searching the request URL according to the source address, or searching the HTTP return status code according to the alarm name, or searching the HTTP return status code according to the source address.
Optionally, the analysis query interface further includes a DNS domain name query interface, and the DNS domain name query interface is configured to search a DNS domain name according to the source address and the alarm name.
In S103, the query result data is extracted to generate a second object entity. And taking the query result data obtained in the last step as a new object entity again.
The second object entity also includes, but is not limited to, any one of a source address, a destination address, a source port, a destination port, a transport protocol, an application protocol, an alarm name, an event name, a file name, a virus name, a DNS domain name, a request URL, an HTTP return status code, a process name, a user name, an operation, and an operation result.
In S104, the second object entity is analyzed through the analysis query interface to generate second query result data. The analysis can be performed through any one of the alarm name query interface, the source address and destination address query interface, the source port and destination port query interface, the HTTP query interface, and the DNS domain name query interface.
In S105, a relationship between the first query result data and the second query result data is obtained, the first object entity and the second object entity are connected by a relationship graph, and the relationship graph is displayed. The relationship between the first object entity and the second object entity can be established according to the relationship between the two query result data, and the relationship is then displayed to the user in the form of a relationship graph.
In addition, it should be noted that if the preset analysis query interfaces cannot meet the analysis query requirement of the user, a new query interface may also be added and invoked.
According to the network attack analysis method provided by this embodiment, because the query interface is packaged, the user can call it directly through an interactive method to obtain the desired query result data, so the thresholds of network threat tracing and log analysis are lowered, the learning cost is low, and the method is convenient to use. In addition, the query result is displayed through the relationship graph structure, so that the user can visually analyze the relationship among behaviors, locate the attack source more quickly, evaluate the range of influence of the attack more quickly, and quickly understand the relationship behind the data.
Another embodiment of the present invention provides a network attack analysis method, described in detail on the basis of the previous embodiment by taking as an example Elasticsearch as the data warehouse and a data query interface implemented in Python. Referring to fig. 2, the method of this embodiment includes steps S201 to S207.
S201, when the network attack alarm occurs, reading an alarm object entity. When an alarm occurs, the aim is to trace the course of the whole event and its range of influence. For example, if it is detected that "the host scans a specific port and then initiates an attack on the port", the alarm object entity "the host scans a specific port and then initiates an attack on the port" is read.
S202, the source address of the alarm object entity is obtained through the source address and destination address query interface in the analysis query interface. Specifically, "search source address according to the alarm name" is selected in the source address and destination address query interface, which returns the source address "172.16.100.21" that triggered the alarm object entity "the host scans a specific port and then initiates an attack on the port".
S203, selecting the source address as an object entity, and calling the alarm name query interface in the analysis query interface to acquire other alarms related to the source address. The source address "172.16.100.21" is selected as the object entity, and "search alarm name according to source address" in the alarm name query interface is called, which returns four other alarms related to this source address: "intranet host initiates specific port scanning", "vulnerability attack-Wannacry attack", "vulnerability attack", and "threat intelligence hit-intranet host communicates with malicious domain name".
S204, selecting the other alarms related to the source address as object entities, and calling the source port and destination port query interface in the analysis query interface to obtain a destination port.
Specifically, the alarm object entity "intranet host initiates specific port scanning" is selected, and "search the destination port according to the source address and the alarm name" in the source port and destination port query interface is called, which shows that the source address "172.16.100.21" initiated scanning against port 445.
The alarm object entity "vulnerability attack-Wannacry attack" is selected, and "search the destination address according to the source address and the alarm name" in the source address and destination address query interface is called, which shows that the source address "172.16.100.21" attacked the destination addresses "172.16.100.134" and "172.16.100.18" once each.
The alarm object entity "vulnerability attack" is selected, and "search the destination address according to the source address and the alarm name" in the source address and destination address query interface is called, which shows that the source address "172.16.100.21" attacked the destination addresses "172.16.100.134" and "172.16.100.18" once each.
The alarm object entity "threat intelligence hit-intranet host communicates with malicious domain name" is selected, and "search the DNS domain name according to the source address and the alarm name" in the DNS domain name query interface is called, which shows that the source address "172.16.100.21" communicated with the DNS domain name "moving.
S205, selecting the destination port as an object entity, and calling the source address and destination address query interface in the analysis query interface to acquire a destination address. The destination port object entity "445" is selected, and "search the destination address according to the source address and the destination port" in the source address and destination address query interface is called, which shows that the source address "172.16.100.21" accessed port "445" of the destination addresses "172.16.100.147", "172.16.100.157", "172.16.100.174", "172.16.100.217", "172.16.100.17", "172.16.100.18" and "172.16.100.134".
S206, selecting the destination address as an object entity, and calling the alarm name query interface in the analysis query interface to obtain other alarms related to the destination address. The destination address "172.16.100.134" is selected as an object entity, and "search alarm name according to source address" in the alarm name query interface is called, which shows that this address also has the alarm "threat intelligence hit-intranet host communicates with malicious domain name"; "search the DNS domain name according to the source address and the alarm name" in the DNS domain name query interface is then called again, which shows that the destination address "172.16.100.134" visited the malicious domain name "moving.
Similarly, the destination address "172.16.100.18" may also be selected as the object entity: "search alarm name according to source address" in the alarm name query interface is invoked, which shows that this address also has the alarm "threat intelligence hit-intranet host communicates with malicious domain name", and "search the DNS domain name according to the source address and the alarm name" in the DNS domain name query interface is invoked again, which shows that the destination address "172.16.100.18" visited the malicious domain name "moving.
S207, obtaining the relationship among the query result data of the analysis query interface, connecting the object entities through a relationship graph, and displaying the relationship graph.
As shown in fig. 3, a relationship network between the object entities is obtained, and a conclusion can be drawn clearly from it: the source address "172.16.100.21", while infected by the virus, scanned port "445" of the intranet hosts, then launched the vulnerability attack against the hosts "172.16.100.134" and "172.16.100.18" and succeeded, and all three infected hosts "172.16.100.21", "172.16.100.134" and "172.16.100.18" connected to the malicious domain name "moving.
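The pivoting procedure of steps S201 to S207 (and, in general form, S101 to S105), as an added example that is not the patent's own code: the packaged query interfaces build an Elasticsearch-style bool/term query so the analyst never writes query grammar, and the results of each interface become the next object entities and edges of the relationship graph. It assumes an in-memory list of constructed alarm documents in place of the Elasticsearch index, and the domain name "malicious-domain.example" is a placeholder for the domain elided in the text.

```python
from collections import defaultdict

# Constructed sample data standing in for the Elasticsearch alarm index of the
# description; the domain is a placeholder for the one elided in the text.
MALICIOUS_DOMAIN = "malicious-domain.example"
SEED = "host scans a specific port and then initiates an attack on the port"
SCAN = "intranet host initiates specific port scanning"
WANNACRY = "vulnerability attack-Wannacry attack"
VULN = "vulnerability attack"
INTEL = "threat intelligence hit-intranet host communicates with malicious domain name"
ATTACKER, VICTIMS = "172.16.100.21", ("172.16.100.134", "172.16.100.18")
SCANNED = ["172.16.100.147", "172.16.100.157", "172.16.100.174", "172.16.100.217",
           "172.16.100.17", "172.16.100.18", "172.16.100.134"]
RECORDS = (
    [{"alarm": SEED, "src": ATTACKER, "dst": VICTIMS[0], "dport": 445}]
    + [{"alarm": SCAN, "src": ATTACKER, "dst": d, "dport": 445} for d in SCANNED]
    + [{"alarm": a, "src": ATTACKER, "dst": d, "dport": 445}
       for a in (WANNACRY, VULN) for d in VICTIMS]
    + [{"alarm": INTEL, "src": h, "domain": MALICIOUS_DOMAIN} for h in (ATTACKER, *VICTIMS)]
)


def build_query(**terms):
    """Packaged query logic: the analyst clicks an entity and the interface
    writes the Elasticsearch-style bool/term DSL, so there is no grammar to learn."""
    return {"query": {"bool": {"must": [{"term": {k: v}} for k, v in terms.items()]}}}


def run_query(query, field):
    """Stand-in for the search call: evaluate the DSL over RECORDS and return
    the distinct values of `field`, which become the next object entities."""
    musts = query["query"]["bool"]["must"]
    hits = [r for r in RECORDS
            if all(r.get(k) == v for m in musts for k, v in m["term"].items())]
    return sorted({r[field] for r in hits if field in r}, key=str)


# The packaged analysis query interfaces named in the description.
def alarm_names_by_source(src):                 # alarm name query interface
    return run_query(build_query(src=src), "alarm")


def source_by_alarm(alarm):                     # source/destination address interface
    return run_query(build_query(alarm=alarm), "src")


def dest_by_source_and_alarm(src, alarm):
    return run_query(build_query(src=src, alarm=alarm), "dst")


def dest_by_source_and_port(src, dport):
    return run_query(build_query(src=src, dport=dport), "dst")


def dport_by_source_and_alarm(src, alarm):      # source/destination port interface
    return run_query(build_query(src=src, alarm=alarm), "dport")


def dns_by_source_and_alarm(src, alarm):        # DNS domain name query interface
    return run_query(build_query(src=src, alarm=alarm), "domain")


def trace(seed_alarm):
    """Steps S201-S207: pivot from the seed alarm through the interfaces and
    collect the relationship graph as adjacency over (kind, value) nodes."""
    graph = defaultdict(set)

    def link(a, b):
        graph[a].add(b)
        graph[b].add(a)

    seed = ("alarm", seed_alarm)                                      # S201
    for src in source_by_alarm(seed_alarm):                           # S202
        link(seed, ("addr", src))
        for alarm in alarm_names_by_source(src):                      # S203
            if alarm == seed_alarm:
                continue
            link(("addr", src), ("alarm", alarm))
            for dport in dport_by_source_and_alarm(src, alarm):       # S204
                link(("alarm", alarm), ("port", dport))
                for dst in dest_by_source_and_port(src, dport):       # S205
                    link(("port", dport), ("addr", dst))
            for dst in dest_by_source_and_alarm(src, alarm):
                link(("alarm", alarm), ("addr", dst))
            for domain in dns_by_source_and_alarm(src, alarm):
                link(("addr", src), ("domain", domain))
    # S206: pivot every address reached so far through the alarm and DNS interfaces.
    for node in [n for n in list(graph) if n[0] == "addr"]:
        for alarm in alarm_names_by_source(node[1]):
            link(node, ("alarm", alarm))
            for domain in dns_by_source_and_alarm(node[1], alarm):
                link(node, ("domain", domain))
    return graph                                                      # S207: display


def infected_hosts(graph, domain=MALICIOUS_DOMAIN):
    """The conclusion read off the graph: every address linked to the malicious domain."""
    return sorted(v for kind, v in graph.get(("domain", domain), ()) if kind == "addr")


if __name__ == "__main__":
    g = trace(SEED)
    for node, neighbours in sorted(g.items()):
        print(node, "->", sorted(neighbours))
    print("infected:", infected_hosts(g))
```

Nodes are merged by (kind, value), so an alarm name shared by several hosts appears once; a display layer that wants one node per host-alarm pair can key the alarm nodes by (host, name) instead.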
Referring to fig. 4, a network attack analysis apparatus according to an embodiment of the present invention includes:
the first reading module 11 is used for reading a first object entity selected by a user when a network attack alarm occurs;
a first analysis module 12, configured to analyze the first object entity through a preset analysis query interface to generate first query result data, where the analysis query interface has query logic information;
an extraction generation module 13, configured to extract the query result data to generate a second object entity;
a second analysis module 14, configured to analyze the second object entity through the analysis query interface to generate second query result data;
the first display module 15 is configured to obtain a relationship between the first query result data and the second query result data, connect the first object entity and the second object entity through a relationship graph, and display the relationship graph.
In this embodiment, the analysis query interface includes an alarm name query interface, a source address and destination address query interface, a source port and destination port query interface, and an HTTP query interface;
the alarm name query interface is used for searching an alarm name according to a source address, or searching an alarm name according to a destination address, or searching an alarm name according to a source host, or searching an alarm name according to a destination host, or searching an alarm name according to a domain name;
the source address and destination address query interface is used for searching a source address according to an alarm name, or searching a destination address according to the source address and the alarm name, or searching a source address according to the destination address and the alarm name, or searching a destination address according to the source address and a destination port;
the source port and the destination port query interface are used for searching the destination port according to a source address, or searching the source port according to a destination address and an alarm name, or searching the destination port according to the source address and the alarm name;
the HTTP query interface is used for searching the request URL according to the alarm name, or searching the request URL according to the source address, or searching the HTTP return status code according to the alarm name, or searching the HTTP return status code according to the source address.
In this embodiment, the analysis query interface further includes a DNS domain name query interface, and the DNS domain name query interface is configured to search for a DNS domain name according to the source address and the alarm name.
In this embodiment, the first object entity includes any one of a source address, a destination address, a source port, a destination port, a transport protocol, an application protocol, an alarm name, an event name, a file name, a virus name, a DNS domain name, a request URL, an HTTP return status code, a process name, a user name, an operation, and an operation result.
According to the network attack analysis device provided by the embodiment, the query interface is packaged so that the user can directly call it through an interactive method to obtain the desired query result data; the thresholds of network threat traceability and log analysis are thereby reduced, the learning cost is low, and the method is convenient. In addition, the query result is displayed through the structure of the relationship graph, so that the user can visually analyze the relationship between behaviors, the attack source can be located more quickly, the attack influence range can be evaluated more quickly, and the user can be helped to quickly understand the relationship behind the data.
Referring to fig. 5, a network attack analysis apparatus according to another embodiment of the present invention includes:
a second reading module 21, configured to read an alarm object entity when a network attack alarm occurs;
the first query module 22 is configured to obtain a source address of the alarm object entity through the source address and destination address query interface in the analysis query interface;
a second query module 23, configured to select the source address as an object entity, and invoke an alarm name query interface in the analysis query interface to obtain other alarms related to the source address;
a third query module 24, configured to select another alarm related to the source address as an object entity, and call the source port and destination port query interface in the analysis query interface to obtain a destination port;
a fourth query module 25, configured to select the destination port as an object entity, and call the source address and the destination address query interface in the analysis query interface to obtain a destination address;
a fifth query module 26, configured to select the destination address as an object entity, and call an alarm name query interface in the analysis query interface to obtain another alarm related to the destination address;
and a second display module 27, configured to obtain a relationship between query result data of the analysis query interface, connect object entities through a relationship graph, and display the relationship graph.
It should be noted that, for specific limitations of the network attack analysis device, reference may be made to the above limitations of the network attack analysis method, which is not described herein again. The modules in the network attack analysis device may be wholly or partially implemented by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent of a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a terminal, and its internal structure diagram may be as shown in fig. 6. The computer device comprises a processor, a memory, a communication interface, a display screen and an input device which are connected through a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operating system and the computer program to run on the non-volatile storage medium. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless communication can be realized through WIFI, an operator network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement a video frame prediction method. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on a shell of the computer equipment, an external keyboard, a touch pad or a mouse and the like.
Those skilled in the art will appreciate that the architecture shown in fig. 6 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, which includes a memory, a processor, and a computer program stored on the memory and executable on the processor, and the processor implements the steps of the network attack analysis method when executing the program.
The implementation principle and technical effect of the computer device provided by the above embodiment are similar to those of the above method embodiment, and are not described herein again.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored, which program, when executed by a processor, implements the steps of the network attack analysis method described above.
The implementation principle and technical effect of the computer-readable storage medium provided by the above embodiments are similar to those of the above method embodiments, and are not described herein again.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above may be implemented by a computer program instructing the relevant hardware; the program may be stored in a non-volatile computer-readable storage medium and, when executed, may include the processes of the embodiments of the methods described above. Any reference to memory, storage, database or other medium used in the embodiments provided herein can include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical storage, or the like. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM can take many forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM), among others.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is specific and detailed, but not to be understood as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, and these are all within the scope of protection of the present application. Therefore, the protection scope of the present patent application shall be subject to the appended claims.

Claims (10)

1. A network attack analysis method, comprising:
when a network attack alarm occurs, reading a first object entity selected by a user;
analyzing the first object entity through a preset analysis query interface to generate first query result data, wherein the analysis query interface has query logic information;
extracting the query result data to generate a second object entity;
analyzing the second object entity through the analysis query interface to generate second query result data;
and acquiring the relationship between the first query result data and the second query result data, connecting the first object entity and the second object entity through a relationship graph, and displaying the relationship graph.
2. The network attack analysis method according to claim 1, wherein the analysis query interface comprises an alarm name query interface, a source address and destination address query interface, a source port and destination port query interface, and an HTTP query interface;
the alarm name query interface is used for searching an alarm name according to a source address, or searching an alarm name according to a destination address, or searching an alarm name according to a source host, or searching an alarm name according to a destination host, or searching an alarm name according to a domain name;
the source address and destination address query interface is used for searching a source address according to an alarm name, or searching a destination address according to the source address and the alarm name, or searching a source address according to the destination address and the alarm name, or searching a destination address according to the source address and a destination port;
the source port and the destination port query interface are used for searching the destination port according to a source address, or searching the source port according to a destination address and an alarm name, or searching the destination port according to the source address and the alarm name;
the HTTP query interface is used for searching the request URL according to the alarm name, or searching the request URL according to the source address, or searching the HTTP return status code according to the alarm name, or searching the HTTP return status code according to the source address.
3. The network attack analysis method according to claim 2, wherein the analysis query interface further comprises a DNS domain name query interface for searching for a DNS domain name according to the source address and the alarm name.
4. The network attack analysis method according to claim 1, wherein the method specifically comprises:
when a network attack alarm occurs, reading an alarm object entity;
obtaining the source address of the alarm object entity through the source address and destination address query interface in the analysis query interface;
selecting the source address as an object entity, and calling an alarm name query interface in the analysis query interface to acquire other alarms related to the source address;
selecting other alarms related to the source address as object entities, and calling a source port and a destination port query interface in the analysis query interface to acquire a destination port;
selecting the destination port as an object entity, and calling the source address and destination address query interface in the analysis query interface to acquire a destination address;
selecting the destination address as an object entity, and calling an alarm name query interface in the analysis query interface to acquire other alarms related to the destination address;
and obtaining the relationship among the query result data of the analysis query interface, connecting the object entities through a relationship graph, and displaying the relationship graph.
5. The network attack analysis method according to claim 1, wherein the first object entity comprises any one of a source address, a destination address, a source port, a destination port, a transport protocol, an application protocol, an alarm name, an event name, a file name, a virus name, a DNS domain name, a request URL, an HTTP return status code, a process name, a user name, an operation, and an operation result.
6. A cyber attack analysis apparatus, comprising:
the first reading module is used for reading a first object entity selected by a user when a network attack alarm occurs;
the first analysis module is used for analyzing the first object entity through a preset analysis query interface to generate first query result data, and the analysis query interface has query logic information;
the extraction generation module is used for extracting the query result data to generate a second object entity;
the second analysis module is used for analyzing the second object entity through the analysis query interface to generate second query result data;
and the first display module is used for acquiring the relationship between the first query result data and the second query result data, connecting the first object entity and the second object entity through a relationship graph, and displaying the relationship graph.
7. The apparatus according to claim 6, wherein the analysis query interface comprises an alarm name query interface, a source address and destination address query interface, a source port and destination port query interface, and an HTTP query interface;
the alarm name query interface is used for searching an alarm name according to a source address, or searching an alarm name according to a destination address, or searching an alarm name according to a source host, or searching an alarm name according to a destination host, or searching an alarm name according to a domain name;
the source address and destination address query interface is used for searching a source address according to an alarm name, or searching a destination address according to the source address and the alarm name, or searching a source address according to the destination address and the alarm name, or searching a destination address according to the source address and a destination port;
the source port and the destination port query interface are used for searching the destination port according to a source address, or searching the source port according to a destination address and an alarm name, or searching the destination port according to the source address and the alarm name;
the HTTP query interface is used for searching the request URL according to the alarm name, or searching the request URL according to the source address, or searching the HTTP return status code according to the alarm name, or searching the HTTP return status code according to the source address.
8. The cyber attack analysis device according to claim 7, wherein the analysis query interface further comprises a DNS domain name query interface for searching a DNS domain name according to a source address and an alarm name.
9. A readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1-5.
10. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method according to any of claims 1 to 5 when executing the program.
CN202011163928.3A 2020-10-27 2020-10-27 Network attack analysis method and device, readable storage medium and computer equipment Active CN112351008B (en)
Publications (2)

Publication Number Publication Date
CN112351008A CN112351008A (en) 2021-02-09
CN112351008B true CN112351008B (en) 2022-07-22